---
title: Self-Signed Certificates
description: Learn how to configure Terrateam to trust self-signed certificates
---

import { Steps } from '@astrojs/starlight/components';

Terrateam supports the use of self-signed certificates for secure communication with services in your infrastructure. This is essential when working with internal services, private registries, or enterprise environments that use custom Certificate Authorities (CAs).

## How It Works

Terrateam automatically installs any custom CA certificates provided through environment variables that follow the `CUSTOM_CA_BUNDLE_*` naming pattern. These certificates are added to the system's trusted CA store before any Terraform operations are executed, ensuring that all tools (Terraform, cloud CLIs, git, etc.) can properly validate SSL/TLS connections.

## Configuration Methods

There are two primary ways to configure custom CA certificates in Terrateam:

### Method 1: Using VCS Variables (Recommended)

This method stores your certificates as variables in your VCS provider, making them available to all Terrateam operations automatically.

<Steps>
1. **Navigate to your repository's settings**:
   - **GitHub**: Settings → Secrets and variables → Actions → Variables
   - **GitLab**: Settings → CI/CD → Variables

2. **Create a new variable**:
   - Name: Must start with `CUSTOM_CA_BUNDLE_` (e.g., `CUSTOM_CA_BUNDLE_CORP`, `CUSTOM_CA_BUNDLE_INTERNAL`)
   - Value: The complete certificate content, including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines
   - Type: Variable (not secret; a CA certificate is public and contains no private key material)

3. **Add your certificate content**:
   ```
   -----BEGIN CERTIFICATE-----
   MIIDXTCCAkWgAwIBAgIJAKLdQVPy90WjMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
   [... certificate content ...]
   nI7bfRn4YjSSiXzPuQVh66IYHIvw+xP6
   -----END CERTIFICATE-----
   ```

4. **The certificate is automatically installed**:
   - Terrateam detects all `CUSTOM_CA_BUNDLE_*` environment variables
   - Certificates are written to `/usr/local/share/ca-certificates/`
   - System CA store is updated via `update-ca-certificates`
</Steps>

### Method 2: Using Terrateam Configuration

You can also define custom CA certificates directly in your Terrateam configuration file using hooks and environment variables.

```yaml
hooks:
  all:
    pre:
      - type: env
        name: CUSTOM_CA_BUNDLE_INTERNAL
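        # A literal block scalar (|) keeps the newlines that the heredoc and the PEM need;
        # a quoted flow scalar would fold them into spaces.
        cmd:
          - 'sh'
          - '-c'
          - |
            cat <<'EOF'
            -----BEGIN CERTIFICATE-----
            MIIDXTCCAkWgAwIBAgIJAKLdQVPy90WjMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
            [... certificate content ...]
            nI7bfRn4YjSSiXzPuQVh66IYHIvw+xP6
            -----END CERTIFICATE-----
            EOF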
```

:::tip
Using VCS variables is preferred as it keeps certificates out of your configuration files and makes them easier to manage and rotate.
:::

## Multiple Certificates

You can add multiple custom CA certificates by using different variable names:

```bash
CUSTOM_CA_BUNDLE_CORP="-----BEGIN CERTIFICATE-----..."
CUSTOM_CA_BUNDLE_INTERNAL="-----BEGIN CERTIFICATE-----..."
CUSTOM_CA_BUNDLE_PARTNER="-----BEGIN CERTIFICATE-----..."
```

Each certificate will be installed separately and all will be trusted by the system.
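
As an added illustration (not Terrateam's own code), the sketch below mirrors the behaviour described under How It Works and Multiple Certificates: it finds every exported `CUSTOM_CA_BUNDLE_*` variable and writes one `.crt` file per variable, rejecting values that are not PEM certificates or that include a private key, which does not belong in a non-secret variable. The function names, the staging directory and the sample value are assumptions; on this page the real target is `/usr/local/share/ca-certificates/` followed by `update-ca-certificates`.

```sh
#!/bin/sh
# Added illustration, not Terrateam's implementation; function names are hypothetical.

# Print the number of CERTIFICATE blocks on stdin. Fail if there are none, if a
# block is unbalanced or not base64, or if any private key block is present.
pem_cert_count() {
  awk '
    /PRIVATE KEY-----/ { bad = 1 }
    /^-----BEGIN CERTIFICATE-----\r?$/ { if (inblk) bad = 1; inblk = 1; body = 0; next }
    /^-----END CERTIFICATE-----\r?$/ { if (!inblk || !body) bad = 1; inblk = 0; n++; next }
    inblk { if ($0 ~ "^[A-Za-z0-9+/=]+\r?$") body++; else bad = 1 }
    END { if (bad || inblk || n == 0) exit 1; print n }
  '
}

# Write every exported CUSTOM_CA_BUNDLE_* value to DIR/<NAME>.crt after checking it.
# Names come from awk's ENVIRON because multi-line values break `env` parsing.
stage_custom_ca_bundles() {
  dest=$1
  names=$(awk 'BEGIN { for (k in ENVIRON) if (k ~ /^CUSTOM_CA_BUNDLE_[A-Za-z0-9_]+$/) print k }' | sort)
  for name in $names; do
    value=$(awk -v n="$name" 'BEGIN { printf "%s", ENVIRON[n] }')
    if ! count=$(printf '%s\n' "$value" | pem_cert_count); then
      echo "rejected $name: not a clean PEM certificate bundle" >&2
      return 1
    fi
    printf '%s\n' "$value" > "$dest/$name.crt"
    echo "staged $dest/$name.crt ($count certificate(s))"
  done
}

# Demo: constructed value (base64 filler, not a real certificate), temp directory.
CUSTOM_CA_BUNDLE_DEMO='-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLVJFQUwtQ0VSVElGSUNBVEU=
-----END CERTIFICATE-----'
export CUSTOM_CA_BUNDLE_DEMO
demo_dir=$(mktemp -d)
stage_custom_ca_bundles "$demo_dir"
```

The check is structural only: it does not parse the certificate, so expiry and the CA flag still need a separate inspection before a value is trusted.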
